Bug 1934737

Summary: ovn-kubernetes breaks with endpointstrategy: nodeportservice. iptables sends all traffic back to ingress router

Product: OpenShift Container Platform
Reporter: Josef Meier <josef.meier>
Component: Networking
Networking sub component: ovn-kubernetes
Assignee: Alexander Constantinescu <aconstan>
QA Contact: Anurag saxena <anusaxen>
Status: CLOSED DUPLICATE
Severity: urgent
Priority: unspecified
CC: aconstan
Version: 4.6
Target Release: 4.8.0
Hardware: All
OS: Linux
Type: Bug
Last Closed: 2021-03-10 16:29:13 UTC

Description Josef Meier 2021-03-03 18:34:53 UTC
Hi,

today we migrated from OpenShiftSDN to OVNKubernetes. We use NetworkPolicies to separate traffic between namespaces and were hoping that we could use them again with OVNKubernetes.

What we learned today is that NetworkPolicies don't work with OVNKubernetes if the Router is working with "Endpointstrategy: HostNetwork".

So we followed the instructions in the docs and changed the Endpointstrategy to NodePortService in the IngressController CR.

Before that we had set the NodePort range from 30000-... to 1-65535 so we could set the Ingress NodePort to 443 (our external LoadBalancer listens on this port).

Afterwards the NetworkPolicies worked again.

But we had several new problems: pulling images from docker.io or quay.io did not work. We sshed into our masters and workers and tried to curl google.de, but we got the default application page from the OpenShift Router (??).

Further investigation showed that all network traffic from port 443 was forwarded to the OpenShift router by an iptables rule.

We saw this issue in ovn-kubernetes that describes our problem rather well:

https://github.com/ovn-org/ovn-kubernetes/issues/1981

The issue should already be fixed upstream.

Because we can't use NetworkPolicies on OVNKubernetes and switching back to OpenShiftSDN is not an option in our setup, we are urgently waiting for a solution to this problem on OpenShift 4.6.

How to reproduce:
- use network plugin OVNKubernetes
- switch endpointstrategy to: nodeportservice
- set the range of NodePorts to 1-65535 in the network CR.
- set the NodePort of the default ingress service to port 443
- try to curl google.com from one of the nodes. You will get the default application page from the OpenShift router instead of the google.com HTML code.

Thanks and greetings,

Josef
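Added example (editor's note, not part of the report above and not code from ovn-kubernetes): a small check a node operator can run against `iptables-save -t nat` output to confirm whether the node-port DNAT rule for the ingress port is scoped to the node's own addresses or matches every destination on that port, which is the symptom the reporter describes (outbound :443 rewritten to the router). The rule text, chain name `OVN-KUBE-NODEPORT`, cluster IP `172.30.10.20` and the use of `-m addrtype --dst-type LOCAL` as the scoping match are constructed for illustration and are assumptions, not quoted from the linked issue or from the OpenShift 4.6 rule set.

```shell
#!/bin/sh
# Editor's example, not from the bug report or from ovn-kubernetes.
# Given iptables-save output, flag nat-table DNAT rules for a node port that
# carry no destination-address restriction: such a rule rewrites traffic to
# ANY host on that port, so `curl https://google.com` from the node lands on
# the ingress router instead of leaving the machine.

# Constructed sample of what `iptables-save -t nat` might show on a node
# (assumed chain and addresses). The :443 rule is unscoped; the :80 rule is
# restricted to addresses that are local to the node.
SAMPLE_RULES='*nat
:OVN-KUBE-NODEPORT - [0:0]
-A PREROUTING -j OVN-KUBE-NODEPORT
-A OUTPUT -j OVN-KUBE-NODEPORT
-A OVN-KUBE-NODEPORT -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.30.10.20:443
-A OVN-KUBE-NODEPORT -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 80 -j DNAT --to-destination 172.30.10.20:80
COMMIT'

# find_unscoped_dnat PORT RULES
# Prints each DNAT rule for PORT that has neither a "-d <addr>" match nor
# "--dst-type LOCAL". Empty output means the port is correctly scoped.
find_unscoped_dnat() {
    port=$1
    printf '%s\n' "$2" |
      grep -E -- '-j DNAT' |
      grep -E -- '--dport '"$port"'( |$)' |
      grep -v -E -- '(^| )-d [0-9.]+' |
      grep -v -E -- '--dst-type LOCAL'
}

# port_is_hijacked PORT RULES
# Shell-true (exit 0) when at least one unscoped DNAT rule exists for PORT.
port_is_hijacked() {
    [ -n "$(find_unscoped_dnat "$1" "$2")" ]
}

# scope_rule RULE
# Rewrites one unscoped rule so it only matches packets whose destination is
# a local address of the node (one common way to restrict a node-port DNAT;
# assumed here as the remedy, not quoted from the upstream fix).
scope_rule() {
    printf '%s\n' "$1" |
      sed 's/ -m tcp --dport / -m addrtype --dst-type LOCAL -m tcp --dport /'
}

# Usage on the constructed sample: show each offending rule next to its
# scoped form. On a real node replace SAMPLE_RULES with "$(iptables-save -t nat)".
find_unscoped_dnat 443 "$SAMPLE_RULES" | while IFS= read -r rule; do
    printf 'unscoped: %s\nscoped:   %s\n' "$rule" "$(scope_rule "$rule")"
done
```

The check only looks at the rule text, so it works on a saved `iptables-save` dump taken from an affected node without needing root on the machine running the script; a rule that scopes by `-d <node-ip>` instead of `addrtype` is treated as correctly scoped as well.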

Comment 2 Alexander Constantinescu 2021-03-10 16:29:13 UTC

*** This bug has been marked as a duplicate of bug 1928164 ***